Over the years I've developed my own private Perl web login module.  It
takes a username or email address and password, checks it against the
database, and creates the cookies.  It has a 'forgot my password' option
which is reasonably secure (of course it assumes that the email address of
record is secure, but that's unavoidable).  It uses MD5 to store passwords
so there's no plaintext option, and I think it's "secure enough" for most
Web apps.  I wrote the initial code many years ago and have been tweaking it
and adapting it but never released it as its own module, which I'd like to
finally get around to doing.

But I'm afraid I may have "missed a spot" security-wise and would like
someone who's a little more of an expert in that area to see if they can
find any holes in its design or implementation that would be unacceptable.

Any takers?
